GRC & Compliance
The GRC module helps MSPs manage governance, risk, and compliance for client environments. It supports structured framework assessments, evidence collection, POAMs (Plans of Action & Milestones), and vendor risk management.
Compliance Dashboard
Navigate to GRC → Dashboard for a real-time compliance posture overview.
| Metric | Description |
|---|---|
| Frameworks | Number of active compliance frameworks |
| Open POAMs | Plans of Action & Milestones currently open or in progress |
| Overdue POAMs | POAMs past their scheduled completion date |
| Completed POAMs | POAMs successfully closed |
The dashboard also shows:
- Framework Compliance Scores — Per-framework progress bar, colour-coded by score (green at 80% or above, yellow from 50% up to 80%, red below 50%)
- Automation Rules — Passing vs failing automated compliance checks
- Recent Assessments — Last 5 assessments with status, score, and progress
Frameworks
Navigate to GRC → Frameworks to manage compliance frameworks.
Supported Frameworks
The platform supports seeding standard frameworks with a single click (Seed Frameworks button). Available frameworks include:
- HIPAA
- SOC 2
- GDPR
- CCPA
- NIST CSF (Cybersecurity Framework)
- CIS Controls
You can also create custom frameworks with any name and version.
Framework Detail
Click into any framework to see its full control list, compliance score, and the status of each control (implemented / partial / not implemented / not applicable).
Assessments
Navigate to GRC → Assessments to manage control assessments.
Assessment Lifecycle
Draft → In Progress → Submitted → Under Review → Completed
Each assessment tracks:
| Field | Description |
|---|---|
| Name | Assessment identifier |
| Status | Current lifecycle state |
| Score | Percentage of controls met |
| Progress | responded_controls / total_controls |
| Due Date | Completion deadline |
Assessment Workflow
- Create an assessment tied to a framework
- Work through controls one by one — mark each as Implemented, Partial, Not Implemented, or Not Applicable
- Upload evidence for each control (see Evidence section)
- Submit for review
- After review, status moves to Completed
Evidence Collection
Navigate to GRC → Evidence to upload and manage evidence artifacts tied to specific controls.
Evidence items link a file or document to a control, creating an audit-ready trail that demonstrates compliance. Evidence can be attached from the Assessment view or uploaded directly in the Evidence module.
POAMs (Plans of Action & Milestones)
Navigate to GRC → POAM to manage remediation plans for controls that failed assessment.
A POAM records:
- The control that failed
- Root cause and planned remediation
- Owner
- Scheduled completion date
- Actual completion date
POAM Status
| Status | Description |
|---|---|
| Open | Identified, remediation not yet started |
| In Progress | Remediation underway |
| Completed | Control has been remediated |
| Cancelled | POAM closed without remediation (risk accepted) |
Overdue POAMs (past scheduled completion date with status Open or In Progress) are highlighted in red on the dashboard.
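To make the rollup rules on this page concrete, here is an added Python example (not the product's own code) that computes an assessment's Score and Progress as defined in the Assessments table, the colour band from the Compliance Dashboard section, and the Open / Overdue / Completed POAM counters. The page does not say how Partial and Not Applicable responses affect the score, so the example assumes Not Applicable is excluded from the denominator and Partial does not count as met; control IDs and dates are constructed.

```python
from dataclasses import dataclass
from datetime import date

# Control response values from the Assessment Workflow; None = not yet responded.
RESPONDED = {"implemented", "partial", "not_implemented", "not_applicable"}

def assessment_score(responses):
    """Score = percentage of controls met. Assumptions (not stated on the page):
    'not_applicable' is excluded from the denominator and 'partial' is not met."""
    scored = [s for s in responses.values() if s in RESPONDED and s != "not_applicable"]
    if not scored:
        return 0.0
    return round(100.0 * sum(s == "implemented" for s in scored) / len(scored), 1)

def assessment_progress(responses):
    """Progress = responded_controls / total_controls, returned as a (responded, total) pair."""
    return sum(s in RESPONDED for s in responses.values()), len(responses)

def score_band(score):
    """Dashboard colour band: green >= 80, yellow >= 50, red below 50."""
    return "green" if score >= 80 else "yellow" if score >= 50 else "red"

@dataclass
class Poam:
    control: str
    status: str      # open | in_progress | completed | cancelled
    scheduled: date  # scheduled completion date

def overdue_poams(poams, today):
    """Overdue = scheduled completion date has passed and status is Open or In Progress."""
    return [p for p in poams if p.status in ("open", "in_progress") and p.scheduled < today]

def poam_summary(poams, today):
    """The three POAM counters shown on the Compliance Dashboard."""
    return {
        "open": sum(p.status in ("open", "in_progress") for p in poams),
        "overdue": len(overdue_poams(poams, today)),
        "completed": sum(p.status == "completed" for p in poams),
    }

# Constructed sample data (hypothetical control IDs, not from any real framework).
SAMPLE_RESPONSES = {"C-01": "implemented", "C-02": "implemented", "C-03": "partial",
                    "C-04": "not_implemented", "C-05": "not_applicable", "C-06": None}
TODAY = date(2024, 2, 1)
SAMPLE_POAMS = [Poam("C-03", "in_progress", date(2024, 1, 15)),
                Poam("C-04", "open", date(2024, 3, 1)),
                Poam("C-07", "completed", date(2024, 1, 1))]
```

With the sample data the assessment scores 50.0% (yellow) with 5 of 6 controls responded, and the dashboard shows 2 open, 1 overdue and 1 completed POAM.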
Vendor Risk
Navigate to GRC → Vendor Risk to manage third-party risk assessments.
For each vendor or third party, you can:
- Send a security questionnaire
- Record a risk rating
- Track review status and renewal dates
Vendor risk data contributes to your overall GRC posture score.
GRC AI Assistant
The GRC module includes an AI assistant that can help draft control responses, interpret framework requirements, and suggest evidence to gather. Access it from the GRC section of the platform.